lodcomm
asked on
PIX-to-PIX: How to redirect incoming traffic over VPN
Greetings security professionals.
I have two locations, A and B.
There is a PIX515E (OS 7.1) at each location.
They are linked by a working VPN tunnel.
A's inside address space is 192.168.1.0/24
B's inside address space is 10.0.32.0/24
A has a /24 external (globally routable) address space.
I want to be able to take one of those external addresses on the A-side PIX515E and NAT/"redirect" it over the VPN tunnel to one of B's inside addresses.
For example: 199.120.223.130 -> 10.0.32.251
199.120.223.130 is an external address on A-side.
10.0.32.251 is an inside address on B-side.
I've tried various attempts over the last two days without success. Is this even possible? Any help greatly appreciated.
My current working config is pasted below (routable addresses obscured).
corey
: Saved
:
PIX Version 7.1(2)
!
hostname pix
domain-name corey.com
enable password * encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 198.145.250.2 255.255.255.252
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd * encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name corey.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 106 extended permit ip 192.168.1.0 255.255.255.0 10.0.32.0 255.255.255.0
access-list 107 extended permit ip any 10.0.32.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 107
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.120.223.129 192.168.1.5 netmask 255.255.255.255
static (inside,outside) 199.120.223.130 10.0.32.251 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 198.145.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map map1 10 match address 106
crypto map map1 10 set peer 79.64.25.118
crypto map map1 10 set transform-set myset
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 79.64.25.118 type ipsec-l2l
tunnel-group 79.64.25.118 general-attributes
tunnel-group 79.64.25.118 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 60
console timeout 0
Cryptochecksum:1575c605c79 9d09351813 140d875e3c 5
: end
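A hairpinned ("U-turn") redirect, as an added example that is not part of the original post or of either PIX's real configuration: on PIX 7.x the static has to describe 10.0.32.251 as a host reached through the outside interface (the posted `static (inside,outside)` line tells the PIX the host sits behind inside, where it does not exist), and the crypto ACL on both peers has to cover Internet-sourced traffic to that host, not only 192.168.1.0/24. Interface names, ACL numbers 106/107, the crypto map name and the peer addresses are taken from the posted config; the B-side ACL names `acl-vpn-a` and `acl-nonat` are assumptions, because B's config is not shown.

```cisco
! ===== PIX A (outside 198.145.250.2) - added example, not the posted config =====
! Remove the posted static that places 10.0.32.251 behind the inside interface.
no static (inside,outside) 199.120.223.130 10.0.32.251 netmask 255.255.255.255
!
! 10.0.32.251 is at site B and is reached through the outside interface over the
! tunnel, so real and mapped interface are both "outside" (hairpin NAT).
static (outside,outside) 199.120.223.130 10.0.32.251 netmask 255.255.255.255
!
! The packet enters and leaves the same interface. The posted config already has
! this line; it is repeated because the hairpin does not work without it.
same-security-traffic permit intra-interface
!
! Interesting-traffic ACL: Internet sources to the redirected host must be
! encrypted. The existing 192.168.1.0/24 -> 10.0.32.0/24 line in 106 stays.
access-list 106 extended permit ip any host 10.0.32.251
!
! ===== PIX B (outside 79.64.25.118) - assumed ACL names, mirror of the A side =====
! Mirror of A's crypto ACL. Replies from the host to any Internet address ride the
! tunnel back to A, where the static translates the source back to 199.120.223.130.
access-list acl-vpn-a extended permit ip 10.0.32.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-vpn-a extended permit ip host 10.0.32.251 any
!
! NAT exemption so B does not PAT the host's replies before they are encrypted.
access-list acl-nonat extended permit ip 10.0.32.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-nonat extended permit ip host 10.0.32.251 any
nat (inside) 0 access-list acl-nonat
!
! Crypto map entry name/sequence on B assumed to mirror A's "map1 10".
crypto map map1 10 match address acl-vpn-a
```

Three things to check after applying this. First, the phase-2 proxy identities must match exactly on both sides (A: any <-> 10.0.32.251/32, B: 10.0.32.251/32 <-> any), otherwise the SA is never built; `show crypto ipsec sa` on either PIX shows whether a child SA with those local/remote identities came up, and `show xlate` on A shows the 199.120.223.130 <-> 10.0.32.251 translation once the first packet arrives. Second, the `host 10.0.32.251 any` line on B is the "downfall" raised later in the thread: every non-local packet from that host, not just the replies to the redirected connections, is now sent through A, so the host loses direct Internet access at site B for as long as the redirect is in place. Third, the posted outside ACL is `permit ip any any`, so nothing has to be added to 101 for the inbound side, but that also means the redirect is reachable on every port; a single `permit` for the published address and the service actually being moved is the safer temporary rule. Separately, the posted tunnel uses DES with MD5 on both phases; PIX 7.1 supports 3DES/AES transform sets and SHA hashing, and changing them on both peers is independent of the redirect.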
ASKER
The reason I want to do this is simple. I need to temporarily redirect all IP traffic from one physical location to another, and it cannot be done with DNS changes.
ASKER CERTIFIED SOLUTION
lrmoore, are you sure about not with 7.x
In 7.x they allow for intra-interface traffic. I haven't tried it on 7.x, but will for the hell of it to check. 6.x won't, though. However, wouldn't a downfall of the needed configuration (since you are trying to use "any") be that all traffic from either the B network or that host on B would have to be routed through the VPN to the A network and then out?
Until 7.x, traffic in PIXs was not allowed to travel between interfaces of the same security level (which of course included going in and out the same interface). However, I have to agree with lrmoore on this one; it's either not feasible or not possible.
What I would try is to do a static to a host on A, then have that host do a translation to the host on B and forward that packet on, so that the host on B thinks the request came from the host on A. How you'd do that could be difficult depending upon the A host you use. This way the site-to-site VPN config doesn't need any changing and everything should route fine, provided the A host is properly configured to mangle the IP packet to source-NAT the packet to itself.
Or am I just wishful thinking that this would work?
ASKER
lrmoore, Cyclops3590 --
Thanks for your comments.
corey
I mean, or else you could even do a port redirection, in case you don't have a spare static address on the B side.
Cheers,
Rajesh